GDPR explained. What’s the GDPR? What does the new regulation mean for you as an individual? What does it mean for you as a company or organisation? Read our FAQs to find out more, or send us a question and we’ll try and answer it here!

The GDPR: Everything you wanted to know

Sorry, but nothing matched your search terms. Please try again with some different keywords.

What is the GDPR?

Data protection by design and default: what is it all about?

Data protection by design means that companies and organisations should take privacy into account when designing, implementing and operating any technology which processes personal data. Prior to the GDPR, the burden was on the user to take privacy protecting measures within a given product or a service; by changing the default settings, opting out, or turning on access controls, for example on location data. The GDPR privacy by design and by default principle requires that privacy standards are built into the technology and offered to the user by default. The GDPR shifts the burden of implementing privacy protecting measures from the user on to the company or organisation.

How are the freedom of expression and the freedom of the press protected by the GDPR?

The GDPR contains certain provisions that balance the right to privacy with the right to freedom of expression and freedom of the press. The most important one is Article 85, in which work for “journalistic purposes or the purpose of academic, artistic or literary expression” is exempt from certain data processing obligations. Article 17.3a provides an exemption from “the right to be forgotten”, if processing of personal data is necessary for the exercise of the right of freedom of expression and information.
It is important to note that:

The GDPR gives the individual Member States flexibility on how they can interpret Article 85 and strike a balance between data protection and freedom of expression in their national legislations. Given that the scope of Article 85 may be subject to various interpretations, you should consult domestic laws for individual cases.

Article 85 does not diminish other GDPR data protection responsibilities. For example, media will not be exempt from the requirement of having appropriate security measures in place to prevent data breaches.

How can I request my data from a company?

Companies or organizations should provide you with a clear process through which you can get access to your data. The GDPR does not specify in which format your data should be made accessible to you, but requires that such format is “commonly used” and “machine readable”.
Note that if you are requesting data to exercise your right to data portability, this only applies to data you have provided to a company or organisations (on the basis of the contract or on the basis of your own consent). You can not request data portability from a third party. For example, you can not request your data which is collected by third party trackers (other companies that track you with cookies and other scripts) on a website.

Can the data request be subject to a payment or must it be provided free of charge?

Information about the processing of your personal data, as well as the first copy of your data, must be provided free of charge. For further copies the company or organisation may charge a reasonable fee based on their administrative costs (e.g. the cost of mailing the copy to you). However, the company or organisation is not allowed to make a profit out of it. If you feel that the fee is too high, you can contact your national Data Protection Authority.

I get emails from a company of which I was never a customer. What should I do? Report them to the DPA? Ask them to delete my information?

You can try a couple of things:

First, ask them for a copy of your data (to check what sort of data they actually have “on you”). According to the GDPR they should provide you with information about the source of this data, the legal ground on which they are processing it and the purpose of such processing.

If you are not convinced (you still believe that what they do is illegal or you simply do not like it), you can request that your data be deleted. But keep in mind that if there was any contract between you and this company in the past, they may be under legal obligation to keep your data for certain period of time.

Finally, if you think that what they did with your data was illegal, you can file a complaint with your DPA.

Is it permissible to request an approval for an updated privacy policy together with a change of the terms and conditions and to deny access to a service in case of refusal?

According to the GDPR, consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes”. It should be a clear affirmative act in which you agree to the way the company or organization proposes to process your data. Consent can be given by ticking a box when visiting an internet website, or another statement or conduct, so long as it clearly indicates your intention to say “yes, I agree”.
Consent cannot be implied from your inactivity or a random action. The fact that you continue to use a given service or the fact that you closed the pop up informing you about GDPR does not mean that you gave consent. Only “clear affirmative actions ” can be interpreted as consent. For example, the fact that you typed your e-mail in the box requesting a newsletter can be interpreted as consent for data to be processed for this purpose.
Consent cannot be forced in any way (eg. by saying that without consent for processing data you cannot use a given service), nor can it be “hidden” in the general terms and conditions. It is not possible to agree to general terms and conditions AND to specific types of data processing with the same click. However, keep in mind that:

Often companies do not have to ask for your consent, because they have other legal grounds to process your data (eg. data that is necessary to provide the service you want; data that is justified by their legitimate interest);

It is okay to demand that you accept general terms and conditions of a given service (otherwise how can you use it?), as long as there is no hidden “consent clause” inside. Privacy policy (or similar, non-negotiable documents) can only refer to data that is required (necessary) if you want to use this service.

How do I know that the data protection by design principle is applied?

Data protection by design will not always be visible to you as the user. This principle covers privacy-protective solutions which range from user settings, to business practices, to networked infrastructures. However, you may experience certain functionalities that show respect for your privacy: friendly interface to access and manage your data (privacy dashboard); end-to-end encryption in your chat app or email; or obligatory authorisation (preferably in two steps) to increase data security.

Can a foundation, NGO or volunteer network continue to use previously collected e-mail addresses to send out mailing lists, news and updates?

The short answer is: it depends!

If you asked people for their consent to use their e-mail addresses (when they were collected) for this purpose, such consent is still valid;

If you never asked for such consent, but the whole point of collecting those e-mails was to stay in touch with your organisation - and people who gave you their data were aware of this - you probably have “legitimate interest” in using their e-mails to send updates and/or newsletters.

But if people who gave you their e-mail addresses in the past had no reasonable expectation that you will use them in the future to send updates and/or newsletters (e.g. they were provided exclusively to process a single payment or sign one specific petition), then you probably need to ask for consent.

I run a small non-profit blog or message board. Does the GDPR apply to me?

Do you process data of your users or readers for whatever purpose (to stay in touch, to share important updates, to see who is visiting your website etc.)? If so, then the GDPR applies to you. It applies to all sorts of data processing, regardless of whether it is done for profit or on non-profit basis, with few exceptions.
Individuals are exempt if they collect data for ‘personal or domestic use’ - for example if they store personal contact details on their phone. But this exception does not cover blogging if it is public and professional (not personal) activity.

How would a company violating the GDPR, that only has a physical presence outside the EU, be punished for not cooperating or implementing the regulation properly?

Even though the GDPR aims to protect personal data of European citizens, even when the company or organizations is located outside the EU, it does not meant that EU law can (formally) be enforced outside the boundaries of Europe. There are long standing rules and norms around international jurisdiction that must be followed before regulatory agencies and courts can exercise jurisdiction over distant subjects. Therefore, the execution of decisions made by European courts and DPAs will, essentially, depend on courts and other relevant bodies in those foreign countries and will require starting separate proceedings in those countries.

Is there a risk of jurisdiction arbitrage in enforcement of the GDPR?

The GDPR is enforced by national Data Protection Authorities and civil courts. In our opinion the risk of jurisdiction arbitrage is low because:

Individuals can sue companies (in courts) and file complaints (with DPAs) in their country of residence or in the European country where data protection infringement took place (so it does not matter where the company is located).

If the complaint is filed with the DPA (not the court), the EU coordination mechanism (European Data Protection Board https://edpb.europa.eu/) will ensure that national DPAs do not make arbitrary decisions in matters that are relevant to other countries.

What does it do?

Regulates how personal data can be processed by private businesses, state administration and other organisations. (“Processing” includes anything related to the collection, aggregation, mining or sharing of data.)

The GDPR also regulates that personal data should be stored and processed securely.

Who is it for?

The GDPR is designed to protect the personal data of everyone who lives in the European Union. The regulation aims to create one standard for all European countries, thereby simplifying doing business across the continent.

Who is responsible for enforcing the rules?

The European Union and its Member States are responsible for enforcing the GDPR.
Each country is required to set up an independent public Data Protection Authority (DPA) to make sure that the GDPR is being applied, to handle complaints lodged by individuals, and to impose fines when necessary, approve codes of conduct, and raise awareness (e.g. by running educational campaigns).
Direct complaints by individuals about companies or organisations will be enforced by the Data Protection Authorities and national courts, in consultation with the European Court of Justice where necessary.

Who has to comply?

The regulation will be applied directly and equally in all 28 European Union countries, to all private businesses, state administration and other organisations that hold and process personal data. These entities have had over two years - since 27 April 2016 - to prepare for compliance.

But the regulation also applies to companies and organisations operating outside the EU: If a company or organisation processes the personal data of individuals living within the EU, it has to comply with the GDPR - no matter where that company or organisation is based.

Will there be additions or changes to the GDPR in the near future?

It is unlikely for new legislation to be introduced in the near future, however we can expect the GDPR to be clarified in the next few years through guidelines developed by DPAs, litigation, and precedents.

The EU is also currently working on a new regulation called ePrivacy, which will complement the GDPR when it comes to data processed online.

Who does not have to comply with the GDPR?

Certain state bodies, including intelligence agencies, the police and the courts, will be governed by separate national rules.

Individuals are exempt if they are collecting data for ‘personal or domestic use’ - for example if they store personal contact details on their phone.

Churches can maintain their own regulations for the protection of personal data and their own bodies supervising this area - but their rules must still be in line with the GDPR.

What’s new?

Though the GDPR is more of an evolution than a revolution of existing EU rules, it nonetheless includes some substantial changes to what came before. Among other things, the new regulation:

Grants individuals some new rights (e.g. the right to move your own data from one company or service to another, and the right to request a copy of the data a company or organisation holds on you); and requires companies and organisations to be more transparent (e.g. they need to inform you where the data they are processing comes from, and for what purposes it is being processed; they need to inform you if you are being profiled).

Makes it easier to more effectively enforce the law (e.g. through fining companies or organisation, or allowing individuals to go directly to court in the case of a violation).

Simplifies the rules by applying the exact same law to all EU countries, but offers more flexibility in how businesses actually comply with the law.

What exactly is personal data?

Personal data is at the heart of the GDPR – the regulation does not apply to all the data companies have.

Personal data is any information that can be linked to an identifiable individual. Since identification of an individual can often be done by putting different pieces of information together (even without a name attached), what counts as personal data can be quite broad. A shoe size, a hobby or an image, for example, could all be classified as personal data if it’s possible to identify which person these bits of information apply to.

Note too that it doesn’t necessarily have to be the data controllers themselves (the companies or organisations processing the data) who are capable of identification.

How should we respond in the case of a data breach?

Under the GDPR, you need to report any breach to the Data Protection Authority generally within 72 hours of becoming aware of it. You also have to inform the individuals whose data you have processed, when it is likely that the breach could have a negative impact on them - for example if financial data is leaked, or if unauthorised persons might have access to their medical information.

How can we make sure that the data we process is properly secured?

Your organisational action plan to secure the data you have will depend on a wide range of factors: for example the types of data you store, how sensitive it is, how much you have, how complex your digital infrastructure is, and whether you have in-house digital security knowledge or choose to outsource. At minimum, however, you should take the following steps:

List what personal data you hold and map out where you store this data.

Do a risk assessment, pinpointing the most likely sources of unauthorised access/leaks.

Implement a data protection action plan that builds on your risk assessment, which includes: data minimisation (collect, process and store only the data you absolutely need); access control (limit who has access to personal data); storage security (where do you store personal and/or sensitive data? Is it stored separately from non-personal/non-sensitive data? Is it stored encrypted?); staff digital hygiene; and a data retention, archiving and deletion policy.

Write down all the actions you have taken to protect the personal data you have.

Set up and test a data breach action plan, which should include roles and responsibilities, reporting to the DPA, and so on.

Put together a plan for periodically revisiting these steps.

Do you need to run HTTPS to be GDPR compliant? No, it is not mandatory to implement HTTPS on your website, but it is good practice (recommended by Data Protection Authorities). For more information about HTTPS visit Lets Encrypt.

What risks do we run if we don’t implement the GDPR correctly?

You run the risk of being fined by a national Data Protection Authority; you could also be sued directly by an individual if you have violated that person’s rights. However perhaps the greatest risk lies in losing your customers’ trust. Surveys show that most people want to be sure that their data is not abused, and are increasingly concerned about the protection of their privacy.

Is there a minimum approach?

The GDPR is primarily concerned with a risk assessment that every company or organisation does for itself, not about “one size fits all” solutions. A starting point should be understanding the importance of people’s right to control information about themselves, and your responsibility for making sure that when people use your services, this right is upheld. Guidelines issued by the Article 29 Working Party offer examples of good and bad practices. You should find useful guidelines on the website of your national Data Protection Authority as well.

Can I get a fine, and how will fines be applied?

If you do not comply with the GDPR, the Data Protection Authority can give you a fine. This could be the result of either a complaint lodged by an individual or a control initiated by the DPA itself.

The Data Protection Authority has to make sure that the fine in each individual case is effective, proportionate, and dissuasive. The DPA will take into consideration, among other things, the nature and gravity of the infringement; the level of negligence involved; whether you have taken any actions to mitigate the damage; and the budget of your company or organisation.

Fines can go up to a maximum of 4% of a organisation’s annual turnoveror up to 20 million EUR - whichever figure is higher.

Are we doing enough?

As an company or organisation, it’s up to you to evaluate this, looking specifically at the nature of your business model and the privacy risks associated with it. A good place to start is the website of your national Data Protection Authority, which is likely to have useful tips and guidelines.

How do we know if we’re ready?

At minimum, you should be able to answer YES to the following questions:

Have we mapped out what personal data we process, and for what purposes?

Can we justify the processing of each category of data (i.e. name the legal basis that underpins our right to do so)?

Do we provide information to our users/clients about how we process personal data?

Have we put procedures in place when it comes to deleting data we no longer need?

Do we know what to do when an individual decides to use his or her rights under the GDPR, such as the right to get a copy of their data? [should link to the USER page]

Have we mapped out the level and source of any risks that relate to the ways in which we process data? Have we taken steps to mitigate these risks?

Do we have a response procedure in place in the event of an unauthorised person gaining access to personal data?

Have we made sure everyone in the company/organisation knows the correct procedures for processing and securing personal data?

Do we have a plan in place for periodically re-evaluating our data processing practices?

Did we have to register somewhere?

No. In contrast with the EU Data Protection Directive of 1995, the GDPR does not require you to register your databases with the Data Protection Authority (DPA). However if you appoint a data protection officer in your company, you should send the DPA his or her contact details.

Under the GDPR, you need to appoint a data protection officer if:

you are a public body (e.g. ministry, school, public hospital);

your business involves regular and systemic monitoring of people’s data on a large scale (e.g. big tech companies, or companies that do credit scoring or video surveillance); or

you processes sensitive data on a large scale (e.g. hospitals).

Is there an official way of implementing the GDPR?

Taking into account the wide variety of factors that come into play when a company or organisation processes personal data, the GDPR is not a one-size-fits-all checklist of implementation measures.

In general terms, the GDPR offers individuals (or “data subjects”) certain rights, and you need to make sure that you are able to uphold these rights. At a basic level, you will need to get to know the ins and outs of what data you process and how you process it, and assess what risks this poses to the data subjects. Generally speaking, the higher the risk, the more you will have to do to protect the data; if you store sensitive personal data (related to health, sexuality etc.) or payment details, you have a greater responsibility to protect it than if you have data on people’s shoe sizes.

To make sure your company or organisation is in compliance with the GDPR, you should start by assessing your current data practices and procedures (map all your data flows), then evaluate these and adapt them as needed to fulfil the requirements of the GDPR. Document your reasonings and actions; then make sure to monitor and periodically review your practices.

Does the GDPR apply to US companies or organisations?

Yes. As soon as a company or organisation monitors or tracks the behaviour of internet users on EU territory, the regulation will kick in – no matter where the company or organisation is based.

Does the GDPR apply to the data my employer has on me?

Yes. Your employer, like any other organisation that processes data, has to conform to the GDPR. However each EU member state can adopt more specific rules when it comes to the employment relationship. If you’re interested in this, you should look for more information on your national Data Protection Authority’s website.

Why are some companies or organisation critical of the GDPR?

Many companies and organisation have become used to treating your data as a ‘free resource’ - something they could take without asking permission and exploit for their own financial gain; something they could collect without limit, without protecting it. The GDPR is a powerful tool to force companies to re-evaluate the risks involved – not just to the individuals whose data they process, but also to themselves, in terms of fines and loss of customer trust - and to treat your data with the common-sense care and respect that should really have been in place from the beginning.

What can I do if a company or organisation is using my personal data against my will?

It may be useful to contact the company or organisation itself first. Regardless of whether you do that, however, you can also file a complaint with your national Data Protection Authority - even if the company or organisation does not have an office in your country. And if you’re not satisfied with the DPA’s decision, you can take the company or organisation to court.

You can also skip the DPA and go directly to court if you feel your rights have been violated.

If as a result of a violation you have suffered material or non-material damage, you can seek financial compensation.

Third parties, such as consumer protection agencies, digital rights foundations or other interest groups, could also litigate on behalf of you and others.

Can I talk to companies about their use of my data?

Absolutely! The GDPR requires that companies and organisations respond to questions about personal data. This includes whether or not they process your personal data in the first place, and if so for what purpose, how long it will be stored, and with whom it is shared. And if you ever change your mind about what you have consented to or accepted, companies and organisations are also required not only to make it easy for you to communicate this choice, but also to act upon it.

Does it mean I can “delete” myself?

Not quite. You can’t delete all your personal data whenever you want to. But you can ask to have your data deleted in a few specific situations - for example if a company or organisation no longer needs it it in order to provide the service you are using, or if you decide to withdraw your consent. However, even in such cases, companies or organisations may still have viable reasons to keep your data, for example for tax purposes or to protect themselves from possible future claims.

Do I need to do anything?

No. It’s up to companies and organisations to make sure that your personal data is protected. There are, however, still decisions you’ll need to make.

For new services you want to use: If the company is asking you to give them data, do you really want to agree? (If the service only processes necessary data, they are required to inform you but do not need to ask for special consent to do so. They do, however, need to ask for explicit consent when they want data that’s not necessary).

For the services you’re using at the moment: Are you still comfortable with the way the company or organisation collects, analyses and shares your personal data? If you no longer agree, you can simply say “no”.

Finally: if you think your rights are not being upheld, you can decide to report it to your DPA, or even challenge the company in court.

How will these rights be enforced?

Each country will have an independent public Data Protection Authority (DPA) to ensure that companies are in compliance with the regulation. You have the right to lodge a complaint with your DPA or to go to court if you feel that your rights have been violated.

What are my rights under the GDPR?

1. You have the right to information.

Companies and organisations are now required to communicate to you, in plain and accessible language, what personal data they process and how they use it. (“Processing” includes anything related to the collection, aggregation, mining or sharing of data.)

If a company or organisation builds a profile on you (e.g. from data matched up from different sources), you have the right to know what’s in this profile.

2. You have the right to secure handling.

The GDPR regulates that personal data should be stored and processed securely.

3. You have the right to access the personal data a company or organisation holds on you, at any time.

If the data is inaccurate, you can change or complete it.

If the data is no longer necessary, you can ask the company or organisation to delete it.

If you initially gave the company or organisation more data than was necessary for receiving the service (e.g. for marketing purposes), but no longer want them to have this data, you can ask them to delete it.

4. You have the right to use a service without giving away additional data .

If a company or organisation wants to process personal data that is not strictly necessary for the provision of a particular service (e.g. a transport app that wants access to your phone’s contact list), they need to get your explicit consent to process that data. . (Note that even if a company or organisation believes that certain data is in their interest to process, this does not always mean that it is necessary). If you have already consented to the processing of additional data, you can always withdraw this consent.

5. When it comes to automated decision-making you have the right to explanation and human intervention. If a decision has been made about you through automatic mechanisms, you have the right to:

know how the decision was made (i.e. you are entitled to an explanation of the logic behind the mechanism used);

disagree with the result of this decision (eg. with the fact that you were denied a credit because of a “wrong” scoring result);

demand human intervention (eg. a person that you can talk to should verify how the decision was made and whether the result is fair).